It comes as no surprise that we’re seeing ransomware attacks against Ukraine this week, and while attribution is usually a fool’s errand, it’s not a stretch to assume these attacks help one very specific actor.
The use of ransomware as a cover for HermeticWiper has been noted by several firms, most notably Symantec, ESET, and SentinelOne, which have provided excellent write-ups on the samples. The malware leverages drivers from a popular disk management application, uses seemingly legitimate code-signing certificates, and was compiled several months before the current crisis in Ukraine - take what you will from that last fact. Reports indicate that several sectors were targeted, including financial, defense, aviation, and IT services, and that ransomware was used as a cover story, with the real intent being to destroy data.
Politico reports that the Conti team has vowed to support the Russian government and would use “all possible resources to strike back at the critical infrastructure of an enemy”. The group behind the ever-popular Conti ransomware is best known for hitting hospitals around the world last year.
NBC and others report that President Joe Biden was presented with cyberattack options to disrupt Russian military operations in Ukraine, including cyber effects that impact power, transport, and resupply logistics. In response to additional Russian sanctions, the White House, via DHS, has started to warn businesses about the possibility of ransomware attacks as retaliation, with CISA issuing a "Shields Up" alert.
Big Mac fans will be dismayed by a report that the Snatch gang hit McDonald's and is holding ~500GB of corporate data for ransom.
It will not be an easy weekend for SOC teams and IT departments, so please send your security colleagues plenty of caffeine-infused beverages.